GDM CONSULT LIMITED PRIVACY POLICY

Effective Date: June 3rd, 2024

Introduction

GDM Consult Limited (“we,” “our,” “us”) is committed to protecting the privacy and security of our clients’ personal information. For the purpose of this policy, GDM Consult Limited will hereinafter be referred to as “GDM.”

This Policy seeks to establish global minimum privacy and data protection standards for the processing of Personal Information and to implement basic concepts of privacy by default and privacy by design. This Policy also seeks to provide a single document that can direct associates and contractors to the various privacy procedures that GDM Consult Limited has adopted to comply with Privacy and Data Security Laws (defined below) and that such associates and contractors must comply with. This Privacy Policy further outlines how we collect, use, disclose, and protect your information. By using our services, you agree to the practices described in this policy.

1. Definitions

For the purpose of this policy,

1.1 Controller

Controller or “business” means the legal entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Information. In most cases, this will be the Company.

1.2 Data Subject

Any person whose Personal Information is processed by or on behalf of the Company. See Personal Information for examples.

1.3 Information Asset

A definable piece of information, regardless of format, which may be collected, developed, or otherwise processed by the Company. Information assets may include, but are not limited to, all forms and types of financial, business proprietary information, customer related information, strategies and processes, research and development, and personnel information.

1.4 Information Asset Owner

The Company associate responsible for the Information Assets within a Company business or department. The Information Asset Owner is knowledgeable about how the Information Asset is acquired, transmitted, stored, deleted, and otherwise processed.

1.5 Information Asset Custodian

The person who must maintain the protection of Information Assets according to the information classification associated with them and identified by the Information Asset Owner. Information Asset Custodians are responsible for the technical environment and / or underlying storage structure.

1.6 Personal Information

“Personal Information” is any information asset that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This includes information that identifies, describes, or is capable of being associated with a known or identifiable individual’s personal characteristics, communications and other works, surroundings and movements, and behaviors online and in the real world, such as data generated by an individual’s personal use of a Company product or service. Personal Information also includes information that identifies or describes members of an individual’s household, such as a postal address, home phone number, demographic information like number of members and household income levels, and information collected from shared use of the Company’s products and services. Examples include: email addresses, names, phone numbers, postal addresses, IP addresses, location data, voice and video data of personal spaces, fingerprints and other biometric identifiers, and cookies and other information which may be used to identify a data subject or the subject’s online browsing activity.

1.7 Privacy and Data Security Laws

All relevant domestic and international privacy and data protection laws, current and future, governing privacy, data security, and Personal Information. Relevant laws include the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015; the National Information Technology Development Agency Act (NITDA Act) 2007; the General Application and Implementation Directive (GAID) 2025; the Nigeria Data Protection Act (NDPA) 2024 governing Nigerian residents; the General Data Protection Regulation (GDPR) for subjects of the European Economic Area; and other similar laws and regulations in Nigeria and other jurisdictions where the Company has physical operations or which govern Personal Information which the Company processes (collectively, the “Privacy and Data Security Laws”).

1.8 Privacy Committee

The committee appointed by the Company to lead and coordinate its Privacy Program (defined below). The Privacy Committee shall coordinate with other functions as necessary.

1.9 Processing

Any operations which are performed on Personal Information or on sets of Personal Information, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, or transmission.

1.10 Processor

In relation to Personal Information, a Processor is any person or entity (other than an Associate or other personnel of the Data Controller) who processes the data on behalf of a data Controller and strictly for the purposes of providing the contracted-for services to the data Controller. Processors, including where GDM acts as a Processor, do not: (a) collect, retain, use, or disclose Personal Information for any purpose other than as necessary for the specific purpose of performing the service to the Data Controller, including collecting, retaining, using, or disclosing the Personal Information for a commercial purpose other than providing the service; or (b) sell the Personal Information.

1.11 Sensitive Personal Information

Specific Personal Information, where its unauthorized access, processing or disclosure may result in increased risk of harm to a Data Subject. Examples include: NDPR special categories (listed below), data affecting the data subject’s rights and freedoms in a negative way, financial data, location data, or social security numbers. If applicable Privacy and Data Security Laws further define Sensitive Personal Information or additional requirements on entities who process such data, then those laws would also apply. Certain types of sensitive personal information are subject to additional protection under the NDPR. These are listed under Article 2.5 of the NDPR and Article 9 of the GDPR as “special categories” of personal data. The special categories are:

  1. Personal data revealing racial or ethnic origin.
  2. Political opinions.
  3. Religious or philosophical beliefs.
  4. Trade union membership.
  5. Genetic data and biometric data processed for the purpose of uniquely identifying a natural person.
  6. Data concerning health.
  7. Data concerning a natural person’s sex life or sexual orientation.

Processing of these special categories is prohibited, except in limited circumstances set out in Article 2.5 of the NDPR and Article 9 of the GDPR.

For the purposes of this document, Personal Information and / or Sensitive Personal Information will be collectively referred to as “Personal Information.”

2.0 Applicability and Scope

This policy applies to all Company associates, contractors, consultants, temporary workers, and other workers across the Company. This document applies to the Company’s Information Assets relating to Personal Information or Sensitive Personal Information in electronic, physical or other formats. This document applies to business activities that process Personal Information. Other policies may also apply, such as the Acceptable Use Policy. If there is a conflict between any other policy and this Company Privacy Policy as it relates to Personal Information, then this Company Privacy Policy shall control.

3.0 Privacy Program

A collection of policies and procedures, including this Company Privacy Policy, reasonably designed to:

  1. address privacy and data security risks related to Company’s business operations, and
  2. protect the privacy, confidentiality, integrity and availability of Personal Information processed by or on behalf of the Company.

The Privacy Program will contain controls and procedures appropriate to Company’s size and complexity, the nature and scope of Company’s activities, and the sensitivity of the Personal Information, including:

  1. the identification of reasonably foreseeable risks, both internal and external, that could result in a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise processed by or on behalf of Company and an assessment of the sufficiency of any safeguards in place to control these risks.
  2. the design and implementation of reasonable controls and procedures to address and mitigate such risks.
  3. any other such reasonable controls, practices, or procedures as may be necessary to comply with the requirements of the Privacy and Data Security Laws.
  4. development of a mechanism for reasonable and appropriate testing or monitoring of the effectiveness of those controls and procedures that were set out as part of the Privacy Program.

4.0 Privacy Committee Role

4.1 Company will nominate relevant stakeholders to participate in a Privacy Committee that shall have the responsibilities listed in this document and shall otherwise be accountable for the development, implementation, and maintenance of the Privacy Program. The Privacy Committee may include members from various Company departments, including Legal, Human Resources, Finance, IT, Cybersecurity, etc.

4.2 The Privacy Committee will implement and maintain policies and procedures that support this Policy and Company’s overall information privacy, security, and governance program.

4.3 The Privacy Committee will also oversee the development, maintenance, and implementation of policies and procedures that will provide Data Subjects the ability to contact the Company about all issues related to processing of their Personal Information and to the exercise of their rights under the applicable privacy and data security laws. Where Company owes an obligation to such Data Subjects under applicable Privacy and Data Security Laws, the Company will provide methods of contact that route data subjects’ communications to the appropriate Information Asset Owners of Personal Information and / or Privacy Committee where appropriate. This may include, for example, routing Data Subjects to existing customer relations or support staff as well as other reasonable means which comply with the Company’s obligations under Privacy and Data Security Laws.

5.0 Privacy Committee Responsibilities

Without prejudice to the foregoing, the Privacy Committee may:

  1. Lead and coordinate the drafting and implementation of the privacy program;
  2. Maintain a working knowledge and understanding of legal and regulatory, cybersecurity, and privacy as set forth in the Privacy and Data Security Laws;
  3. Monitor compliance with this policy, the Privacy and Data Security Laws and other procedures of Company in relation to the protection of Personal Information, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits as required to continue to comply with the Privacy and Data Security Laws;
  4. As necessary and appropriate, provide advice and recommendations to Company’s senior leadership, including the CEO and Board of Directors, on matters related to privacy and data security;
  5. Support the Legal Department to cooperate with the regulatory authority or other government agencies;
  6. Coordinate with the necessary Company departments to identify and assess reasonably foreseeable internal and external risks to privacy and security;
  7. Collaborate with the appropriate internal Information Asset Owner department and external partners (e.g., outside counsel) to develop policies, procedures, and controls to comply with the Privacy and Data Security Laws;
  8. Work with the Information Asset Owner, Legal and the Information Asset Custodian to set reasonable minimum standards to protect the confidentiality, integrity, and availability of Personal Information processed by or on behalf of Company;
  9. Develop, implement, and revise as necessary, policies and / or procedures for managing third-party service providers, vendor and/or supplier compliance with Company third party privacy standards and applicable Privacy and Data Security Laws;
  10. In collaboration with the appropriate internal and external partners, develop and implement training on Company’s privacy program.

6.0 Vendor Management

Company will comply with Privacy and Data Security Laws as they relate to the engagement of vendors who process Personal Information on behalf of Company or Personal Information received from Company. As required by Privacy and Data Security Laws, Company shall ensure that vendors who will process Personal Information on behalf of Company:

  1. provide sufficient guarantees to implement appropriate physical, technical, and organizational security measures in such a manner that such vendors’ processing of Personal Information;
  2. provide means to assist GDM in responding to Data Subject requests about Personal Information, such as understanding the content or removal of same;
  3. will not collect, retain, use, or disclose Personal Information for any purpose other than as necessary for the specific purpose of performing the service to GDM, including collecting, retaining, using, or disclosing the Personal Information for a commercial purpose other than providing the service to GDM; and
  4. will not sell the Personal Information in a context defined under applicable Privacy and Data Security laws as a “sale.”

6.1 Company’s engagement of vendors who will process the Personal Information on behalf of Company or Personal Information received from Company will be governed by a binding contract that includes appropriate security and privacy protection terms as required by Privacy and Data Security Laws.

7.0 Disposal and Destruction of Data

Company will retain records containing Personal Information to the extent necessary for business purposes or to comply with its obligations under applicable Privacy and Data Security Laws, and will destroy such records once those purposes have been accomplished, in accordance with the requirements under applicable Privacy and Data Security Laws.

8.0 Privacy Training

The Privacy Committee shall establish programs for training existing associates, new hires, and relevant third-party contractors who process or have access to Personal Information on the relevant requirements of Privacy and Data Security Laws. Training may include, depending on the type of data and applicable law, how to respond to various data subject requests, proper handling of Personal Information to maintain confidentiality and integrity of the data, and what to do in the event of an information security incident.

9.0 Individual Rights

9.1 In consultation with the Company’s Legal department, each business entity of the Company will implement appropriate governance and controls to comply with requirements under Privacy and Data Security Laws which apply to, which may include: access, correction, erasure, objection, restriction, portability rights and right to give and withdraw consent to the right of selling Personal Information

9.2 The Company will implement and maintain procedures for receiving, logging, and responding to requests from Data Subjects. These procedures shall comply with the Privacy and Data Security Laws as they apply to Company. The Company will work with appropriate subject-matter experts to verify such compliance.

9.3 Where the Company makes automated decisions based on processing Personal Information, including profiling, that may result in an adverse legal effect to Data Subjects, the Company will notify Data Subjects of this processing and provide individuals with an appeals process where they can challenge adverse decisions, as well as the ability not to be subject to such processing.

10.0 Limitations on the Collection, Use, and Disclosure of Personal Information

Each business entity of the Company shall implement and maintain procedures designed to limit the collection, use, disclosure, and processing of Personal Information to the extent necessary to further its business objectives and legal obligations.

11.0 Transfer of Data

11.1 For Personal Information subject to NDPR and GDPR or where otherwise required by applicable Privacy and Data Security Laws, Company shall implement and maintain procedures to safeguard the transfer of Personal Information across national boundaries. These procedures shall comply with Privacy and Data Security Laws, and that compliance shall be verified by appropriate subject matter experts.

11.2 For Personal Information transferred between corporate entities in different countries and subject to NDPR and GDPR or where otherwise required by applicable Privacy and Data Security Laws, the Company shall draft and execute intra-company agreements between relevant corporate entities ensuring that transfers of Personal Information of data subjects shall be protected as required under Privacy and Data Security Laws.

12.0 Online Privacy Notice

12.1 Where required under Privacy and Data Security Laws, Company shall:

  1. post on its public websites, domains, and mobile applications, a notice that explains how the Company processes Personal Information obtained through visitors’ use of the sites, applications, and online services that are operated or controlled by Company; and
  2. maintain this notice on its public websites and update as needed.

12.2 When collecting Personal Information, as required under Privacy and Data Security Laws, the following information must be provided within the Privacy Notice:

  1. The contact details of the Company and, where applicable, the Company’s privacy representative;
  2. The purposes of the processing for which the Personal Information are intended as well as the legal basis for the processing;
  3. The recipients or categories of recipients of the Personal Information, if any;

12.3 Where applicable, the fact that the Company intends to transfer Personal Information to third parties or transfer outside the country of origin, along with the purpose of the transfer.

13.0 Information We Collect

13.1 Personal Information

We collect personal information that you voluntarily provide to us when you register for our services, such as your name, email address, phone number, company information, and payment details.

13.2 Non-Personal Information

We collect non-personal information such as browser type, operating system, and IP address to improve our services and enhance your experience.

13.3 How We Use Your Information

13.3.1 Provide and Improve Services: We use your information to deliver and enhance our services, including processing transactions, providing customer support, and improving our offerings.

13.3.2 Communication: We use your contact information to send you updates, newsletters, marketing communications, and other information that may be of interest to you. You can opt out of these communications at any time.

13.3.3 Legal Compliance: We may use your information to comply with applicable laws, regulations, and legal processes.

14.0 Information Sharing and Disclosure

14.1 Service Providers

We may share your information with third-party service providers who assist us in delivering our services, such as payment processors and IT support.

14.2 Legal Obligations

We may disclose your information if required by law or if we believe such action is necessary to comply with legal processes, protect our rights, or ensure the safety of our users.

14.3 Data Security

We implement appropriate technical and organizational measures to protect your personal information from unauthorized access, use, or disclosure. However, no internet or email transmission is ever fully secure or error-free.

14.4 Your Rights

You have the right to access, correct, update, or delete your personal information. You may also object to or restrict the processing of your data in certain circumstances. To exercise these rights, please contact us at [v.afolabi@gdmgroup.africa].

14.5 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and use personal information about you. You can manage your cookie preferences through your browser settings.

14.6 Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices or the content of these websites. We encourage you to review the privacy policies of any third-party sites you visit.

15.0 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on our website and updating the effective date at the top of this page.

16.0 Policy Revision and Supersession Clause

This Policy, originally enacted on [June 3, 2024], has been duly reviewed, amended, and revised as of [June 2, 2025]. All preceding versions are hereby superseded and rendered null and void to the extent that they conflict with the provisions herein. Any references to prior iterations shall be construed in accordance with this revised document, which shall govern all relevant matters henceforth.

Contact Us:

If you have any questions or concerns about this Privacy Policy, please contact us at:

GDM Consult Limited

Address: 9, Jogunomi Street, Gbagada Phase II, Gbagada, 100234, Lagos, Nigeria.

Phone: +234 803 406 9956, +234 913 715 0841.

Website: http://www.gdmgroup.com.ng

Email: [v.afolabi@gdmgroup.africa]

Effective Date: June 3rd, 2024

Revised Date: June 2nd, 2025
